@bookedsolid/rea 0.16.0 → 0.16.1

package/agents/codex-adversarial.md

@@ -33,6 +33,8 @@ You may read additional files in the repo if needed for context, but do so read-
 2. **Validate Codex availability** — if `/codex` is not installed, report and stop. Do not silently fall back to another reviewer.
 3. **Prepare the Codex invocation** — construct the adversarial-review prompt with the diff, commit log, and any relevant context files.
 4. **Invoke `/codex:adversarial-review`** — this call flows through the REA middleware chain (audit → kill-switch → tier → policy → redact → injection → execute → result-size-cap).
+
+   **Model pinning (0.16.1+):** when the codex plugin's adversarial-review supports model overrides, request `gpt-5.4` with `model_reasoning_effort: high` to match the push-gate's iron-gate defaults. Pre-0.16.1, in-session adversarial reviews ran on whatever the plugin defaulted to (likely `codex-auto-review` at medium reasoning) — meaningfully WEAKER than the push-gate's `gpt-5.4` + `high`. This caused a "in-session review passes, push-gate review fails" pattern reported by helix across 014 / 015 / 016. If the plugin call accepts model parameters, pass them. If it does not, fall back to invoking `codex exec review --base <ref> --json --ephemeral -c model="gpt-5.4" -c model_reasoning_effort="high"` directly via `Bash` — same shape the push-gate uses (see `src/hooks/push-gate/codex-runner.ts::runCodexReview`). The cost of the stronger model is small relative to the cost of shipping a release with a P1 bypass that gets caught at consumer push time.
 5. **Parse the Codex output** — extract structured findings.
 6. **Classify findings** by category: security, correctness, edge cases, test gaps, API design, performance.
 7. **Assign verdict**: `pass` (no material findings), `concerns` (findings worth addressing but not blocking), `blocking` (findings that must be fixed before merge).

package/hooks/_lib/cmd-segments.sh

@@ -71,9 +71,17 @@ _rea_split_segments() {
   # under any encoding we care about (any agent that intentionally
   # included this string would already be obviously trying to confuse
   # the splitter — and even then, the worst case is fail-closed).
+  # 0.16.1 helix-016 P1 fix: also split on single `&` (background-process
+  # operator). Pre-fix the splitter only broke on `&&|||;|`; a command like
+  # `sleep 1 & git push --force` was treated as ONE segment whose first
+  # token is `sleep`, and `any_segment_starts_with($CMD, 'git push')`
+  # missed the force-push entirely. Add `&` to the separator set, but
+  # AFTER `&&` is already swapped out so we don't break it apart.
   printf '%s\n' "$cmd" \
     | sed -E 's/>\|/__REA_GTPIPE_a8f2c1__/g' \
-    | sed -E 's/(\|\||&&|;|\|)/\n/g' \
+    | sed -E 's/&&/__REA_LOGAND_a8f2c1__/g' \
+    | sed -E 's/(\|\||;|\||&)/\n/g' \
+    | sed -E 's/__REA_LOGAND_a8f2c1__/\n/g' \
     | sed -E 's/__REA_GTPIPE_a8f2c1__/>|/g'
 }
 
@@ -151,6 +159,30 @@ any_segment_matches() {
   return 1
 }
 
+# Return 0 if any segment of $1 (RAW — no prefix-stripping) matches the
+# extended regex $2. Use this for checks where the prefix itself IS the
+# signal — e.g. H10's `HUSKY=0 git commit` detection (the prefix-stripper
+# would strip the `HUSKY=0` before any_segment_matches sees it). Also
+# right for H15 (`REA_BYPASS=...`) and H16 (alias/function defs).
+#
+# 0.16.1 helix-016 sibling fix: H10 baseline corpus regressed from
+# 0.15.0 because it migrated to `any_segment_matches` which strips
+# env-var prefixes. The check needs the raw segment to fire.
+any_segment_raw_matches() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment
+  while IFS= read -r segment; do
+    # Trim leading whitespace for clean anchor matching, but otherwise
+    # leave the segment intact (env-var assignments preserved).
+    segment="${segment#"${segment%%[![:space:]]*}"}"
+    if printf '%s' "$segment" | grep -qiE "$pattern"; then
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}
+
 # Return 0 if any segment of $1 (after prefix-stripping) STARTS WITH
 # the extended regex $2. Case-insensitive. Returns 1 if no segment
 # starts with the pattern.

package/hooks/dangerous-bash-interceptor.sh

@@ -216,7 +216,7 @@ if any_segment_starts_with "$CMD" 'git[[:space:]]+commit.*--no-verify'; then
 fi
 
 # H10: HUSKY=0 bypass — suppresses all git hooks without --no-verify
-if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)HUSKY=0[[:space:]]+git[[:space:]]+(commit|push|tag)'; then
+if any_segment_raw_matches "$CMD" '^HUSKY=0[[:space:]]+git[[:space:]]+(commit|push|tag)'; then
   add_high \
     "HUSKY=0 — bypasses all husky git hooks" \
     "Setting HUSKY=0 disables pre-commit, commit-msg, and pre-push safety gates without --no-verify." \
@@ -243,8 +243,15 @@ if any_segment_starts_with "$CMD" "rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*f[[:space:]
     "Alt: Move to a temp location first, or use 'rm -ri' for interactive deletion."
 fi
 
-# H12: curl/wget piped directly to shell (supply chain attack vector)
-if any_segment_matches "$CMD" '(curl|wget)[^|]*\|[[:space:]]*(bash|sh|zsh|fish)'; then
+# H12: curl/wget piped directly to shell (supply chain attack vector).
+# 0.16.1 helix-016 P1 fix: this check requires BOTH the curl/wget call
+# AND the `| sh` to appear in the same shell pipeline. The 0.16.0
+# refactor moved this into `any_segment_matches`, but the segmenter
+# splits on `|` first — so `curl https://x | sh` decomposed into two
+# segments (`curl https://x`, `sh`) and the regex (which requires both
+# in one segment) never matched. Pipe-RCE is fundamentally a
+# multi-segment property and must be checked against the raw command.
+if printf '%s' "$CMD" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(bash|sh|zsh|fish)'; then
   add_high \
     "curl/wget piped to shell — remote code execution" \
     "Executing remote scripts without inspection is a major supply chain risk." \
@@ -268,7 +275,7 @@ if any_segment_starts_with "$CMD" 'git[[:space:]]+-c[[:space:]]+core\.hookspath'
 fi
 
 # H15: REA_BYPASS env var — attempted escape hatch
-if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)REA_BYPASS[[:space:]]*='; then
+if any_segment_raw_matches "$CMD" '^REA_BYPASS[[:space:]]*='; then
   add_high \
     "REA_BYPASS env var — unauthorized bypass attempt" \
     "Setting REA_BYPASS is not a supported escape mechanism and indicates a bypass attempt." \
@@ -276,7 +283,7 @@ if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)REA_BYPASS[[:space:]]*=';
 fi
 
 # H16: alias/function definitions containing bypass strings
-if any_segment_matches "$CMD" '(alias|function)[[:space:]]+[a-zA-Z_]+.*(--(no-verify|force)|HUSKY=0|core\.hookspath)'; then
+if any_segment_raw_matches "$CMD" '^(alias|function)[[:space:]]+[a-zA-Z_]+.*(--(no-verify|force)|HUSKY=0|core\.hookspath)'; then
   add_high \
     "Alias/function definition with bypass — circumventing safety gates" \
     "Defining aliases or functions that embed bypass flags defeats safety hooks." \

package/hooks/dependency-audit-gate.sh

@@ -73,15 +73,35 @@ extract_packages() {
     # Anchor to start: only match when the install command is the FIRST
     # thing on the segment, optionally preceded by `sudo` / `exec` /
     # `time` / etc.
-    if printf '%s' "$segment" | grep -qiE '^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+'; then
+    #
+    # 0.16.1 helix-016 P2 fix: also strip leading KEY=VALUE env-var
+    # assignments. Pre-fix the prefix allow-list only permitted
+    # sudo/exec/time, so `CI=1 pnpm add foo` and
+    # `NODE_ENV=development npm install bar` bypassed the audit
+    # entirely. POSIX shell allows any number of leading KEY=VALUE
+    # assignments before the command word; we strip them the same
+    # way the shell does.
+    local stripped_segment
+    stripped_segment=$(printf '%s' "$segment" | sed -E 's/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*=[^[:space:]]+[[:space:]]+)+//')
+
+    if printf '%s' "$stripped_segment" | grep -qiE '^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+'; then
       # Strip the leading prefix wrappers + install command, leaving args.
       local after_cmd
-      after_cmd=$(printf '%s' "$segment" | sed -E 's/^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+//')
+      after_cmd=$(printf '%s' "$stripped_segment" | sed -E 's/^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+//')
 
       for token in $after_cmd; do
         if [[ "$token" == -* ]]; then continue; fi
         if [[ "$token" == ./* || "$token" == /* || "$token" == ../* ]]; then continue; fi
         if [[ -z "$token" ]]; then continue; fi
+        # 0.16.1: tighten token classification (helix-016 sibling concern).
+        # A "package name" is something that doesn't contain shell
+        # metacharacters — `2>&1`, `$VAR`, etc. are never valid npm
+        # package names. Skip any token containing `=`, `>`, `<`, `&`,
+        # `|`, `;`, `$`, backtick, or quotes.
+        if [[ "$token" == *=* || "$token" == *">"* || "$token" == *"<"* ||
+              "$token" == *"&"* || "$token" == *"|"* || "$token" == *";"* ||
+              "$token" == *'$'* || "$token" == *'`'* ||
+              "$token" == *'"'* || "$token" == *"'"* ]]; then continue; fi
         # `npm view` can't validate `@workspace:*` / `link:` / `file:`
         # prefixes (workspace protocols). Skip them — they're never npm
         # registry packages.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.16.0",
+  "version": "0.16.1",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",